https://github.com/kyrylr/iden3-voting
- Host: GitHub
- URL: https://github.com/kyrylr/iden3-voting
- Owner: KyrylR
- License: mit
- Created: 2023-10-15T18:23:29.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-02T15:39:38.000Z (7 months ago)
- Last Synced: 2024-11-10T04:36:56.621Z (about 1 month ago)
- Language: Vue
- Size: 16.8 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Voting service ensuring anonymity
## Notice
This project is a PoC for "Development of a Platform for Ensuring Private Transactions in the Ethereum Network" (original title: "Розробка платформи для забезпечення приватних транзакцій в мережі Ethereum"). It demonstrates how the Commitment-Nullifier Scheme can be used to ensure anonymity in voting. However, it does not fully implement all of the functionality mentioned in the paper due to the complexity and cutting-edge technologies involved.
## Overview
This project comprises three main components:
1. **Circom Schemes**: Utilized for specific cryptographic needs.
2. **Smart Contracts in Solidity**: Deployed for handling blockchain-based operations.
3. **Frontend using Vue 3**: Ensures a responsive and interactive user interface.

Together, these components form a unique system known as the **Decentralized Anonymous Voting**.
## Security Considerations
In the system, there is no trusted party.
Users MUST rely on themselves while interacting with the system.
Each part of the system, including the contract, can be verified and operated manually by the user.
This means they do not need to trust hosted services. Contracts can be verified on-chain for consistency.

So, the overarching principle is to trust no one's word outright and to conduct your own research before using the service.
## Connection Guide
To interact with the system:
1. **MetaMask Requirement**: Ensure you have MetaMask installed. It's crucial as it provides the provider used to retrieve data from the blockchain.
2. **Blockchain Network Connection**:
- Visit the official blockchain website: [https://hq.q.org/](https://hq.q.org/).
- Click on "Connect MetaMask" to join the network.

The system is deployed on the testnet and functions as follows:
### Performance Report
Overall, the performance of the site is fast.
#### Detailed Analysis
##### Blockchain Interaction
- The most time-consuming part is interacting with the blockchain and waiting for transaction confirmations.
- Average time taken: **5 seconds** (blocks are mined in 5-second periods).
##### Proof Generation
- Independent of blockchain interaction.
- Time taken: **1 to 2 seconds**, varying based on computer capabilities.
##### Information Update Frequency
- Details on proposals are updated every **3 seconds**.
- This is the maximum delay a user may experience while waiting to view proposal details.
#### Conclusion
These observations comprehensively describe the performance of the application for anonymous voting.
### User Interaction
1. **Creating a Proposal**: A user can initiate a proposal. The target of the proposal can be any context within the Blockchain.
2. **Proposal Commitment**:
- Others can commit to the proposal by providing a hashed value (using Poseidon hash function) of two large random numbers: `secret` and `nullifier`.
- This can be represented as `hash(secret | nullifier)`, where `|` is the concatenation.
- A fee of 1 ETH is required for the proposal commitment.
3. **Voting Phase**:
- Post the commitment phase, the voting phase commences.
- Users must provide an inclusion proof that their commitment was counted in the commitment phase.
- Users can vote from any account, provided they supply the correct ZKP proof.
- If the voting passes, the proposal can be executed by anyone.
## Chapter: Security Considerations
### Client-Side Security
- Secrets never leave the client device and are always stored locally.
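The commitment and voting steps from the User Interaction section above, as an added Python example that is not code from the iden3-voting project: SHA-256 stands in for Poseidon, a depth-4 Merkle tree stands in for the on-chain incremental tree, and the ZK proof is replaced by checking the witness (`secret`, `nullifier`, Merkle path) directly, so the example shows the accounting the proof attests to (inclusion of the commitment plus one-time use of the nullifier), not the anonymity itself.

```python
import hashlib
DEPTH = 4  # toy incremental Merkle tree: 2**DEPTH commitment slots

def H(*parts: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the Poseidon hash used by the circuits.
    return hashlib.sha256(b"".join(parts)).digest()

def commitment(secret: bytes, nullifier: bytes) -> bytes:
    return H(secret, nullifier)  # hash(secret | nullifier) from the README

def merkle_path(leaves, index):
    """Return ((sibling, is_right) pairs proving leaves[index] is included, root)."""
    zero = b"\x00" * 32  # hash of an empty subtree, recomputed per level
    level, path = list(leaves) or [zero], []
    for _ in range(DEPTH):
        if len(level) % 2:
            level.append(zero)
        path.append((level[index ^ 1], index & 1))
        index //= 2
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        zero = H(zero, zero)
    return path, level[0]

def root(leaves) -> bytes:
    return merkle_path(leaves, 0)[1]

def verify_path(leaf, path, expected_root) -> bool:
    node = leaf
    for sibling, is_right in path:
        node = H(sibling, node) if is_right else H(node, sibling)
    return node == expected_root

class Proposal:
    def __init__(self):
        # commitment phase registers leaves; voting phase consumes nullifiers
        self.leaves, self.spent, self.tally = [], set(), {"yes": 0, "no": 0}

    def commit(self, c: bytes) -> int:
        self.leaves.append(c)
        return len(self.leaves) - 1

    def vote(self, secret, nullifier, path, choice) -> bool:
        # Simplified: on-chain a ZK proof attests to these checks without revealing the witness.
        nullifier_hash = H(nullifier)
        if nullifier_hash in self.spent:
            return False  # the same commitment is trying to vote twice
        if not verify_path(commitment(secret, nullifier), path, root(self.leaves)):
            return False  # no such commitment was registered in the commitment phase
        self.spent.add(nullifier_hash)
        self.tally[choice] += 1
        return True
```

Because the path is checked against the current root, a voter must recompute the path after later commitments land, which is why the design separates the commitment phase from the voting phase.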
### Circom Circuit Code Example
```circom
// Dummy constraints that bind the proof to the voter and the proposal id: squaring
// keeps these public inputs in the constraint system so the proof cannot be replayed.
signal input voter;
signal input proposalId;
signal voterSquare <== voter * voter;
signal proposalIdSquare <== proposalId * proposalId;
```
This code ensures that only the proposal creator can use the generated proof. Each commitment is tied to a specific proposal.
#### Potential Threats and Mitigations
> Check out the autogenerated contract security report by Solhint at the end of this README. All the issues pertain to
> code style and not to the security of the contracts. Therefore, the contracts are safe to use in production. Time-related
> issues can be negligible, as the specific error mentioned in the report is related to relying on a specific timepoint.
> However, in our case, we rely on time periods, which are safe and cannot be manipulated by miners too much without violating
> the protocol specification.

* DDoS via Proposal Commitments: While a DDoS attack is possible by creating numerous commitments, the high fee (1 ETH) and proposal relevance act as deterrents.
* Additional Protection: In real-world scenarios, further safeguards like limiting commitments to a predefined group of experts could be implemented.
### Overall Security
The system is secure, demonstrating the potential of Zero-Knowledge Proofs (ZKP) in future applications.
Vulnerabilities like frontrunning or tree root manipulation in smart contracts are not feasible in this setup.
#### Contract Security Report
```txt
./contracts/mock/tokens/ERC20Mock.sol
4:1 warning global import of path @openzeppelin/contracts/token/ERC20/ERC20.sol is not allowed. Specify names to import individually or bind all exports of the module into a name (import "path" as Name) no-global-import
9:5 warning Explicitly mark visibility in function (Set ignoreConstructors to true if using solidity >=0.7.0) func-visibility

./contracts/utils/IncrementalMerkleTree.sol
13:5 warning Explicitly mark visibility in function (Set ignoreConstructors to true if using solidity >=0.7.0) func-visibility

./contracts/utils/PoseidonIMT.sol
12:5 warning Explicitly mark visibility in function (Set ignoreConstructors to true if using solidity >=0.7.0) func-visibility

./contracts/utils/Verifier.sol
21:1 warning Compiler version >=0.7.0 <0.9.0 does not satisfy the ^0.8.0 semver requirement compiler-version
25:5 warning Explicitly mark visibility of state state-visibility
25:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
28:5 warning Explicitly mark visibility of state state-visibility
28:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
32:5 warning Explicitly mark visibility of state state-visibility
32:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
34:5 warning Explicitly mark visibility of state state-visibility
34:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
36:5 warning Explicitly mark visibility of state state-visibility
36:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
38:5 warning Explicitly mark visibility of state state-visibility
38:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
40:5 warning Explicitly mark visibility of state state-visibility
40:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
42:5 warning Explicitly mark visibility of state state-visibility
42:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
44:5 warning Explicitly mark visibility of state state-visibility
44:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
46:5 warning Explicitly mark visibility of state state-visibility
46:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
48:5 warning Explicitly mark visibility of state state-visibility
48:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
50:5 warning Explicitly mark visibility of state state-visibility
50:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
52:5 warning Explicitly mark visibility of state state-visibility
52:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
54:5 warning Explicitly mark visibility of state state-visibility
54:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
56:5 warning Explicitly mark visibility of state state-visibility
56:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
58:5 warning Explicitly mark visibility of state state-visibility
58:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
61:5 warning Explicitly mark visibility of state state-visibility
61:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
63:5 warning Explicitly mark visibility of state state-visibility
63:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
66:5 warning Explicitly mark visibility of state state-visibility
66:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
68:5 warning Explicitly mark visibility of state state-visibility
68:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
71:5 warning Explicitly mark visibility of state state-visibility
71:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
73:5 warning Explicitly mark visibility of state state-visibility
73:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
76:5 warning Explicitly mark visibility of state state-visibility
76:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
78:5 warning Explicitly mark visibility of state state-visibility
78:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
81:5 warning Explicitly mark visibility of state state-visibility
81:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
83:5 warning Explicitly mark visibility of state state-visibility
83:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
87:5 warning Explicitly mark visibility of state state-visibility
87:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
88:5 warning Explicitly mark visibility of state state-visibility
88:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
90:5 warning Explicitly mark visibility of state state-visibility
90:5 warning Constant name must be in capitalized SNAKE_CASE const-name-snakecase
93:9 warning Rule is set with explicit type [var/s: uint] explicit-types
94:9 warning Rule is set with explicit type [var/s: uint] explicit-types
95:9 warning Rule is set with explicit type [var/s: uint] explicit-types
96:9 warning Rule is set with explicit type [var/s: uint] explicit-types
98:9 warning Avoid to use inline assembly. It is acceptable only in rare cases no-inline-assembly

./contracts/Voting.sol
129:9 warning Error message for require is too long: 35 counted / 32 allowed reason-string
129:9 warning Use Custom Errors instead of require statements custom-errors
140:5 warning Explicitly mark visibility in function (Set ignoreConstructors to true if using solidity >=0.7.0) func-visibility
162:9 warning Error message for require is too long: 37 counted / 32 allowed reason-string
162:9 warning Use Custom Errors instead of require statements custom-errors
166:9 warning Error message for require is too long: 33 counted / 32 allowed reason-string
166:9 warning Use Custom Errors instead of require statements custom-errors
191:9 warning Error message for require is too long: 48 counted / 32 allowed reason-string
191:9 warning Use Custom Errors instead of require statements custom-errors
195:9 warning Error message for require is too long: 44 counted / 32 allowed reason-string
195:9 warning Use Custom Errors instead of require statements custom-errors
196:9 warning Error message for require is too long: 56 counted / 32 allowed reason-string
196:9 warning Use Custom Errors instead of require statements custom-errors
208:46 warning Avoid making time-based decisions in your business logic not-rely-on-time
240:9 warning Use Custom Errors instead of require statements custom-errors
241:9 warning Error message for require is too long: 33 counted / 32 allowed reason-string
241:9 warning Use Custom Errors instead of require statements custom-errors
246:9 warning Use Custom Errors instead of require statements custom-errors
283:9 warning Use Custom Errors instead of require statements custom-errors
284:9 warning Use Custom Errors instead of require statements custom-errors
286:9 warning Use Custom Errors instead of require statements custom-errors
305:9 warning Use Custom Errors instead of require statements custom-errors
333:9 warning Use Custom Errors instead of require statements custom-errors
341:29 warning Avoid to use low level calls avoid-low-level-calls
342:9 warning Error message for require is too long: 33 counted / 32 allowed reason-string
342:9 warning Use Custom Errors instead of require statements custom-errors
356:13 warning Avoid making time-based decisions in your business logic not-rely-on-time
360:13 warning Avoid making time-based decisions in your business logic not-rely-on-time
380:13 warning Avoid making time-based decisions in your business logic not-rely-on-time

✖ 97 problems (0 errors, 97 warnings)
```